Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ec1684dc17f4518c984b32b42433db09eb8a9d3d38040ce1467f3d7d6d25606d

  • Size

    439KB

  • Sample

    240901-eaks8s1djb

  • MD5

    252cee8587edbb53c77d90e5c4295c60

  • SHA1

    bdb25d867097a94a703a20195fbd9682cf4c0d51

  • SHA256

    ec1684dc17f4518c984b32b42433db09eb8a9d3d38040ce1467f3d7d6d25606d

  • SHA512

    012385591620e0d96815e840d039d6cdb7ac0235ed729d9e8e6fa605b3a2a40bc0f2d8bde4ef4dd53cccc62db28c78930346e26ab98b204e8deed28c789efd2f

  • SSDEEP

    12288:Cun15GNq4sWAcfFBmsPTfABCw44dAxn+eG+6v6290cPwaJ:N2NqF46sjdwI4eGHw4

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.120.13:7099

Mutex

ZCamGCh7lBqmpyCR

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe

    • Size

      501KB

    • MD5

      6b34408cb796d4e16a6caa577ebce6b9

    • SHA1

      f011ab355ac5a00204c033f3ac73848f6ce4c0ee

    • SHA256

      39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a

    • SHA512

      344defa68966df547a0504ee221a2037f737d469e0c496009209f9334589f0f73ac69226bb74ea60eb116332ccaefa0d5c1f8972a5b9d34628d9bfcc4147ea84

    • SSDEEP

      12288:E2iNErX80k+laBnUISbE0u9QgYZoXONvIGc2:E1ij8v+MKjbE0ul+Nx

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks